System and method for performing a predictive threat assessment based on risk factors

ABSTRACT

A system and method for evaluating data in a monitoring network are provided. A processing server obtains monitoring device data from a number of monitoring devices. The processing server processes and stores the monitoring device data according to one or more unique identifiers. Utilizing decision logic, the processing server evaluates the monitoring device data to generate one or more predictive assessments. Each predictive assessment can result in the initiation of actions or notification of authorized personnel based upon the likelihood of a target event occurring.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. Provisional PatentApplication No. 60/352,094, filed Jan. 25, 2002. Provisional ApplicationNo. 60/352,094 is specifically incorporated herein by reference.

FIELD OF THE INVENTION

In general, the present invention relates to computer software, hardwareand communication networks, and in particular, to a system and methodfor predictive data assessment in a monitoring network.

BACKGROUND OF THE INVENTION

Generally described, monitoring systems are used to obtain informationfrom a variety of elements. In a representative use, a securitymonitoring system may provide real-time data reflecting the currentstatus of a monitored environment, such as a physical location within agiven premises. For example, a security guard may use a computerterminal to obtain video data from a number of cameras in order toassess the status of a premises. Accordingly, many conventional securitymonitoring systems can assist users in evaluating whether a securitybreach, or other monitoring issue, has occurred (e.g., whether there isan unauthorized presence within the premises). Further, some securitymonitoring systems, upon the detection of a condition, are operable toinitiate a number of reactive measures. For example, the monitoringsystem may alert an appropriate authority, or notify one or moreauthorized users.

Although the traditional security monitoring system obtains informationregarding the status of various aspects of a monitored environment, suchas the status of physical devices or the presence or location ofindividuals, the outputs from most traditional security monitoringnetwork data are fundamentally reactive in nature. With reference to theprevious example, if a security monitoring system obtains motiondetection data from a monitored premises, the data output, for thetraditional security monitoring network is typically limited to adetermination of whether motion occurred and whether the detected motionis authorized. Both of these outputs are reactive in nature. Similarly,if a security monitoring network obtains live video data, the dataoutput for the traditional monitoring network will be a transmission ofthe incoming video data to a display terminal, or more reactive, thearchival of the video data. Clearly, the traditional security monitoringnetwork cannot predict when motion will be detected or what the contentsof the video motion may be. Thus, most, if not all, monitoring networks,are designed for, and therefore limited to, reactive data processing.

Although it may not be possible to predict events, particularly thoselinked to human behavior, with total accuracy, there are a variety ofsituations in which one or more factors may be utilized to establish alikelihood of an event occurring. In some limited situations, a singleinputted factor, or condition, may have a sufficiently strongassociation with a target event such that the presence of the factorwill likely determine whether the target event will occur. Morecommonly, however, the presence of a number of inputted factors, whichif considered in isolation would have a limited association with atarget event, may cumulatively indicate the likelihood of the targetevent occurring.

As applied to security monitoring networks and security processingservices, the processing of data for the purpose of to the identifyingan individual, such as facial recognition, fingerprint, retinal scan,and the like, may be useful for assessing security threats when the dataused to identify an individual is linked to data linking that individualto a potential threat, based upon past behavior or other known riskfactors In many instances, the risk factors may be unrelated to aspecific individual, such as a state of alert at a premises. There are anumber of situations in which the processing of multiple data inputs toproduce a predictive threat assessment, that is, to process multipledata inputs to assess the likelihood of a target event, is clearlybeneficial.

With reference to a security monitoring system implementation, there isan undeniable benefit from generating a threat assessment based onprocessing a wide variety of factors. For example, considered inisolation, the purchasing of a one-way airline ticket may not pose asufficient threat to require additional investigation on behalf of lawenforcement authorities. However, if the one-way ticket purchase isconsidered in conjunction with information, such as the purchase of theticket with cash or the absence of checked baggage, the cumulativeinformation could generate a threat assessment requiring at least someadditional follow up, such as an automated notification to a perform ansearch at a security checkpoint. With another potential embodiment, astoreowner may wish to generate a reward assessment based upon predictedconsumer's actions. In these situations, and many others, the datainputs can be interpreted to facilitate future actions. In each of theseexamples, however, because the assessment is not reactive, conventionalmonitoring systems are not well suited to provide such services.

Thus, there is a need for a system and method for utilizing associativemonitoring data, such as biometric data, to generate future threatassessments. More specifically, there is a specific need for a systemand method for utilizing associative security monitoring data togenerate predictive threat assessments.

SUMMARY OF THE INVENTION

A system and method for evaluating data in a monitoring network areprovided. A processing server obtains monitoring device data from anumber of monitoring devices. The processing server processes and storesthe monitoring device data according to one or more unique identifiers.Utilizing decision logic, the processing server evaluates the monitoringdevice data to generate one or more predictive assessments. Eachpredictive assessment can result in the initiation of actions ornotification of authorized personnel based upon the likelihood of atarget event occurring.

In accordance with an aspect of the present invention, a system forprocessing monitoring device data is provided. The system includes atleast one monitoring device for obtaining monitoring device datacorresponding to at least one identifiable target. The system alsoincludes a first processing server for obtaining the monitoring devicedata and processing the monitoring device data according to at least oneprocessing rule. The system further includes a processing rules datastore having processing rules corresponding to one or more targets in amonitored premises. The first processing server utilizes processingrules from the processing rules data store to perform a predictiveanalysis on the monitoring device data and to generate at least oneoutput indicative of a result of the predictive analysis.

In accordance with another aspect of the present invention, a method forprocessing monitoring device is provided. The method may be implementedin a monitoring device system having at least one monitoring device, aprocessing system, and a processing rules data store. In accordance withthe method, a processing system obtains monitoring device datacorresponding to at least one identifiable target. The processing systemobtains at least one processing rule corresponding to the identifiabletarget from the processing rules data store. The processing systemprocesses the monitoring device data according to the at least oneprocessing rule. The processing of the monitoring device data includesperforming a predictive analysis of the monitoring device data. Theprocessing system further generates an output corresponding to theprocessing of the monitoring device data.

In accordance with a further aspect of the present invention, a systemfor processing monitoring device data is provided. The system includesat least one information collection computing device for obtainingmonitoring device data from a number of monitoring devices. Themonitoring device data corresponds to at least one identifiable target.The system further includes a central processing server in communicationwith the at least one information collection computing device andoperable to receive the monitoring device data corresponding to at leastone identifiable target. The system also includes a processing rulesdata store having processing rules corresponding to one or moreidentifiable targets. The central processing server obtains a processingrule corresponding to the at least one target, performs a predictiveanalysis of the monitoring device data according to the processing rule,and generates at least one output corresponding to the predictiveanalysis.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages of thisinvention will become more readily appreciated as the same become betterunderstood by reference to the following detailed description, whentaken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram of a representative portion of the Internet;

FIG. 2 is a block diagram of an action assessment system formed inaccordance with the present invention;

FIG. 3 is a block diagram illustrative of an action assessment systemincluding a central processing server and one or more external datasources formed in accordance with the present invention;

FIG. 4 is a block diagram illustrative of an action assessment systemincluding a central server and two external data sources formed inaccordance with an alternative embodiment of the present invention;

FIG. 5 is a block diagram of an illustrative architecture for a premisesserver formed in accordance with the present invention;

FIG. 6 is a block diagram of an illustrative architecture of a centralprocessing server formed in accordance with the present invention; and

FIGS. 7A and 7B are flow diagrams illustrative of an action assessmentprocessing routine implemented by a premises or central processingserver in accordance with the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

As described above, aspects of the present invention are embodied in aWorld Wide Web (“WWW”) or (“Web”) site accessible via the Internet. Asis well known to those skilled in the art, the term “Internet” refers tothe collection of networks and routers that use the Transmission ControlProtocol/Internet Protocol (“TCP/IP”) to communicate with one another. Arepresentative section of the Internet 20 is shown in FIG. 1, where aplurality of local area networks (“LANs”) 24 and a wide area network(“WAN”) 26 are interconnected by routers 22. The routers 22 are specialpurpose computers used to interface one LAN or WAN to another.Communication links within the LANs may be wireless, twisted wire pair,coaxial cable, or optical fiber, while communication links betweennetworks may utilize 56 Kbps analog telephone lines, 1 Mbps digital T-1lines, 45 Mbps T-3 lines or other communications links known to thoseskilled in the art.

Furthermore, computers 28 and other related electronic devices can beremotely connected to either the LANs 24 or the WAN 26 via a digitalcommunications device, modem and temporary telephone, or a wirelesslink. It will be appreciated that the Internet 20 comprises a vastnumber of such interconnected networks, computers, and routers and thatonly a small, representative section of the Internet 20 is shown in FIG.1.

The Internet has recently seen explosive growth by virtue of its abilityto link computers located throughout the world. As the Internet hasgrown, so has the WWW. As is appreciated by those skilled in the art,the WWW is a vast collection of interconnected or “hypertext” documentswritten in HyperText Markup Language (“HTML”), or other markuplanguages, that are electronically stored at or dynamically generated by“WWW sites” or “Web sites” throughout the Internet. Additionally,client-side software programs that communicate over the Web using theTCP/IP protocol are part of the WWW, such as JAVA® applets, instantmessaging, e-mail, browser plug-ins, Macromedia Flash, chat and others.Other interactive hypertext environments may include proprietaryenvironments such as those provided in America Online or other onlineservice providers, as well as the “wireless Web” provided by variouswireless networking providers, especially those in the cellular phoneindustry. It will be appreciated that the present invention could applyin any such interactive communication environments, however, forpurposes of discussion, the Web is used as an exemplary interactivehypertext environment with regard to the present invention.

A Web site is a server/computer connected to the Internet that hasmassive storage capabilities for storing hypertext documents and thatruns administrative software for handling requests for those storedhypertext documents as well as dynamically generating hypertextdocuments. Embedded within a hypertext document are a number ofhyperlinks, i.e., highlighted portions of text which link the documentto another hypertext document possibly stored at a Web site elsewhere onthe Internet. Each hyperlink is assigned a Uniform Resource Locator(“URL”) that provides the name of the linked document on a serverconnected to the Internet. Thus, whenever a hypertext document isretrieved from any Web server, the document is considered retrieved fromthe World Wide Web. Known to those skilled in the art, a Web server mayalso include facilities for storing and transmitting applicationprograms, such as application programs written in the JAVA® programminglanguage from Sun Microsystems, for execution on a remote computer.Likewise, a Web server may also include facilities for executing scriptsand other application programs on the Web server itself.

A remote access user may retrieve hypertext documents from the WorldWide Web via a Web browser program. A Web browser, such as Netscape'sNAVIGATOR® or Microsoft's Internet Explorer, is a software applicationprogram for providing a user interface to the WWW. Upon request from theremote access user via the Web browser, the Web browser requests thedesired hypertext document from the appropriate Web server using the URLfor the document and the HyperText Transport Protocol (“HTTP”). HTTP isa higher-level protocol than TCP/IP and is designed specifically for therequirements of the WWW. HTTP runs on top of TCP/IP to transferhypertext documents and user-supplied form data between server andclient computers. The WWW browser may also retrieve programs from theWeb server, such as JAVA applets, for execution on the client computer.Finally, the WWW browser may include optional software components,called plug-ins, that run specialized functionality within the browser.

Referring now to FIG. 2, an actual embodiment of an action assessmentsystem 200 formed in accordance with the present invention will bedescribed. The action assessment system 200 facilitates the processingof multiple data inputs obtained from a number of monitoring deviceslocated within one or more physical premises. The action assessmentsystem processes the monitoring device data according to one or moreprocessing rules, which can be system controlled or premises-specific.Based on an evaluation of the inputs and a corresponding rule, theaction assessment system 200 generates an action assessment.Accordingly, the system 200 can implement a system response, includingthe request and processing of additional information. In an illustrativeembodiment of the present invention, the action assessment system 200may be utilized to generate security threat assessments. However, oneskilled in the relevant art will appreciate that the present inventionis not limited to a security threat assessment system and that thedisclosed embodiments are illustrative in nature.

With reference to FIG. 2, the action assessment system 200 includes apremises server 204 assigned to a premises 202 or group of premises 202.In an illustrative embodiment of the present invention, the premisesserver 204 is located physically proximate to the premises 202.Alternately, the premises server 204 may be remote, or physicallyseparated from the premises 202. Moreover, although a single premisesserver 204 is illustrated in FIG. 2, any number of computing devices maybe utilized to implement the present invention.

In accordance with an illustrative embodiment of the present invention,the premises server 204 is in communication with a number of datasources for facilitating communication with various monitoring andoutput devices, for evaluating premises specific rules and/or forstoring the inputted data for evaluation. More specifically, thepremises server 204 is in communication with a user profiles database206 operable to store and recall monitoring device data associated withone or more unique identifiers. The premises server 204 is also incommunication with a premises rules database 208. The premises rulesdatabase 208 is operable to recall one or more premises specific rulesfor evaluating the monitoring data. As will be explained in furtherdetail below, premises rules database 208 can include programmatic anddeclarative rules for utilization by processing systems, including butnot limited to individual automata, neural networks, support vectormachines and any additional learning systems. The premises server 204 isfurther in communication with a device profiles database 210 thatincludes information operable to control and interpret communicationsfrom the various monitoring and output devices connected to the premisesserver 204. One skilled in the relevant art will appreciate that variouscontrol methods may be utilized within the present invention to controlthe monitoring and output devices and obtain corresponding information.Further, one skilled in the relevant art will appreciate that the userprofiles database 206, the premises rules database 208 and the deviceprofiles database 210 may be physically remote from the premises server204 and may be implemented as part of a distributed database network.

As also illustrated in FIG. 2, the premises server 204 can communicatewith one or more monitoring devices 212 via a network connection. A moredetailed description of a network for communicating with monitoringdevices, including the use of one or more device servers, is found inco-pending U.S. Provisional Application No. 60/281,254, entitled SYSTEMAND METHOD FOR MANAGING A DEVICE NETWORK and filed on Apr. 3, 2001, thedisclosure of which is hereby incorporated by reference. In anillustrative embodiment, the monitoring devices 212 can include smoke,fire and carbon monoxide detectors. The monitoring devices 212 can alsoinclude door and window access detectors, glass break detectors, motiondetectors, audio detectors, metal detectors, explosive detectors and/orinfrared detectors. Still further, the monitoring devices 212 caninclude computer network monitors, voice identification devices, videocameras, still cameras, microphones and/or fingerprint, facial, retinal,or other biometric identification devices. Still further, the monitoringdevices 212 may include pressure-sensitive mats or planar surfaces.Still further, the monitoring devices 212 can include conventional panicbuttons, global positioning satellite (“GPS”) locators, other geographiclocators, medical indicators, and vehicle information systems. Themonitoring devices 212 can also be integrated with other existinginformation systems, such as inventory control systems, accountingsystems, reservation systems, point-of-sale (“POS”) terminals/systems,and the like. It will be apparent to one skilled in the relevant artthat additional or alternative monitoring devices 212 corresponding to aspecific monitoring function may be practiced with the presentinvention.

The premises server 204 also communicates with one or more outputdevices 214. In an illustrative embodiment, the output devices 214 caninclude audio speakers, display or other audio/visual displays, or audiodiaphragms for the projection of audio within targeted areas of apremises. The output devices 214 may also include electrical orelectro-mechanical devices that allow the system to perform actions. Theoutput devices 214 can include computer system interfaces, telephoneinterfaces, wireless interfaces, door and window locking mechanisms,aerosol sprayers, and the like. As will be readily understood by oneskilled in the art, the type of output device is associated primarilywith the type of action the action assessment system 200 generates.Accordingly, additional or alternative output devices 214 are consideredto be within the scope of the present invention. In accordance with thepresent invention, the monitoring devices 212 and the output devices 214can be linked together in a computer network environment in whichmultiple premises servers 202 work in parallel, sharing data andprocesses. Moreover, additional premises servers 202, monitoring devices212, and output devices 214 may be joined modularly to provideextensibility to the system 200.

Turning now to FIG. 3, an expanded embodiment of the present inventionwill be explained. In accordance with this embodiment, an actionassessment system 300 includes a number of premises 202 and premisesservers 204 that operate as described with respect to FIG. 2. Each ofthese premises 202 communicates to a central processing facility 302that includes at least one central processing server 304. In anillustrative embodiment of the present invention, the individualpremises 202 can communicate via global communication network such asthe Internet 20, or alternatively via private communication networksand/or communication lines. Similar to the premises server 204, thecentral processing server 304 is in communication with a number of datasources to facilitate processing incoming monitoring device data fromthe premises 202 and communicating with various monitoring deviceswithin each individual premises 202. More specifically, the centralserver 304 includes a user profiles database 306, a premises rulesdatabase 308, and a device profiles database 310. In an illustrativeembodiment of the present invention, the central processing server 304data sources have similar functions to the user profile database 206,premises rules database 208, and device profile database 210 (FIG. 2)and operable to add a second data processing layer to the actionassessment system 300. More specifically, the user profiles database 306is operable to store and recall user profile data for processing thevarious inputs from the monitoring device data. The premises rulesdatabase 308 is operable to provide rules for processing premisesmonitoring device-specific data. In an illustrative embodiment of thepresent invention, the premises rules database may maintain individuallycustomized rules for each premises 202 on the system 300 or a set ofrules applicable to each premises. Finally, the device profiles database310 is operable to interpret and/or control the various monitoringdevices from each premises 202. Similar to the premises databases, thecentral server databases may be physically proximate to the centralserver 304, may be remote or physically separate from the central server304 and implemented as part of a distributed database system.

The action assessment system 300 can also include one or more externaldata sources 312, operable to supply additional information to thecentral processing server 304. In an illustrative embodiment of thepresent invention, the external data sources 312 can include lawenforcement databases, governmental databases, international databases,internal company databases, third-party commercial databases, and thelike.

In accordance with this embodiment of the present invention, thepremises server 204 can obtain and process monitoring device data. Aspart of the processing, the premises server 204 can transmit themonitoring device data and any processing results to the centralprocessing server 204. The central server can obtain the data from theindividual premises 202, process it according to its premises rules togenerate an action assessment. Additionally, the central processingserver 304 may also obtain additional information, such as from theexternal data sources 312, as part of the data processing step, or as aresult of a preliminary data processing. For example, the central server304 could obtain an action assessment and monitoring device data from anindividual premises server 204, and then request additional informationfrom an external data source 312, such as an FBI record database. Inconjunction with its processing rules and the additional data, thecentral processing server 304 may generate one or more actionassessments and implement any number of actions. Accordingly, an actionassessment system 300 can implement multiple layers for processing.

Although a single central processing server 304 is illustrated in FIG.3, one skilled in the relevant art will appreciate that any number ofcentral processing servers 304 may be implemented to process data frompremises servers 204. Moreover, multiple central processing servers 304may be utilized within an action assessment system 300 to generate anynumber of processing layers. For example, a second central processingserver 304 may be utilized to process data from the first centralprocessing server 304.

With reference now to FIG. 4, an alternative embodiment for an actionassessment system 400 will be described. In accordance with thisembodiment, the action assessment system 400 includes a number ofpremises 402 that include a premises server 404, monitoring devices 406,and output devices 408. However, the premises server 404 does notinclude additional data sources, such as a user profile database, apremises rule database or device profile database, to process themonitoring device data. Instead, all of the monitoring device and outputdevice data is transferred to a central server 304 which evaluatesmonitoring device data according to the user profile database 306, apremises rule database 308, and a device profiles database 310,described above. The central server 304 can obtain additional externaldata from an external data source 312. However, one skilled in the artwill appreciate that the central server 304 can then transfer the datato an additional layer (not shown) to implement additional processinglayers.

In accordance with this embodiment of the present invention, theindividual premises 402 no longer have the ability to process themonitoring device data and transfer it to an external source.Additionally, in another embodiment of the present invention, thepremises server 402 may also be omitted such that the monitoring devices406 transmit data directly to the central server 304. Still further, theaction assessment system 400 may be further modified to include acombination of premises 202 (FIG. 2) having a premises server 204 andpremises 402 communicate unprocessed monitoring device data to a centralprocessing server 304. All such embodiments are considered to be withinthe scope of the present invention.

FIG. 5 is a block diagram depicting an illustrative architecture for apremises server 204 (FIG. 2). Those of ordinary skill in the art willappreciate that the premises server 204 includes many more componentsthen those shown in FIG. 5. However, it is not necessary that all ofthese generally conventional components be shown in order to disclose anillustrative embodiment for practicing the present invention. As shownin FIG. 5, the premises server 204 includes a network interface 502 forconnecting directly to a LAN or a WAN, or for connecting remotely to aLAN or WAN. Those of ordinary skill in the art will appreciate that thenetwork includes the necessary circuitry for such a connection, and isalso constructed for use with the TCP/IP protocol, the particularnetwork configuration of the LAN or WAN it is connecting to, and aparticular type of coupling medium. The premises server 204 may also beequipped with a modem for connecting to the Internet through apoint-to-point protocol (“PPP”) connection or a serial-line Internetprotocol (“SLIP”) connection as known to those skilled in the art.

The premises server 204 also includes a processing unit 504, an optionaldisplay 506, an input/output (I/O) interface 508 and a mass memory 510,all connected via a communication bus, or other communication device.The I/O interface 508 includes hardware and software components thatfacilitate interaction with a variety of the monitoring devices via avariety of communication protocols including TCP/IP, X10, digital I/O,RS-232, RS-485 and the like. Additionally, the I/O interface 44facilitates communication via a variety of communication mediumsincluding telephone landlines, wireless networks (including cellular,digital and radio networks), cable networks and the like. In an actualembodiment of the present invention, the I/O interface is implemented asa layer between the server hardware and software applications utilizedto control the individual monitoring devices. It will be understood byone skilled in the relevant art that alternative interfaceconfigurations may be practiced with the present invention.

The mass memory 510 generally comprises a RAM, ROM, and a permanent massstorage device, such as a hard disk drive, tape drive, optical drive,floppy disk drive, or combination thereof. The mass memory 510 stores anoperating system 512 for controlling the operation of the premisesserver. It will appreciated that this component may comprise ageneral-purpose server operating system as is known to those skilled inthe art, such as UNIX, LINUX™, or Microsoft WINDOWS NT®. The memory alsoincludes a WWW browser 50, such as Netscape's NAVIGATOR® or Microsoft'sInternet Explorer browsers, for accessing the WWW.

The mass memory 510 also stores program code and data for interfacingwith various premises monitoring devices, for processing the monitoringdevice data and for transmitting the processed data. More specifically,the mass memory 510 stores a device interface application 514 inaccordance with the present invention for obtaining monitoring devicedata from a variety of devices and for manipulating the data forprocessing. The device interface application 514 comprisescomputer-executable instructions which, when executed by the premisesserver 204 obtains and transmits device data as will be explained belowin greater detail. The mass memory 510 also stores a data processingapplication 512 for processing monitoring device data in accordance withrules maintained within the rules database 208. The mass memory 510further stores an output interface application program 518 fortransmitting processed device data to one or more external systemcomponents. The operation of the data transmittal application 516 willbe described in greater detail below. It will be appreciated that thesecomponents may be stored on a computer-readable medium and loaded intothe memory of the premises server using a drive mechanism associatedwith the computer-readable medium, such as a floppy, CD-ROM, DVD-ROMdrive, or network drive.

FIG. 6 is a block diagram depicting an illustrative architecture for acentral server 304 (FIG. 3). Those of ordinary skill in the art willappreciate that the central server 304 includes many more componentsthen those shown in FIG. 6. However, it is not necessary that all ofthese generally conventional components be shown in order to disclose anillustrative embodiment for practicing the present invention.

As shown in FIG. 6, the central server 304 includes a network interface600 for connecting directly to a LAN or a WAN, or for connectingremotely to a LAN or WAN. Those of ordinary skill in the art willappreciate that the network interface includes the necessary circuitryfor such a connection, and is also constructed for use with the TCP/IPprotocol, the particular network configuration of the LAN or WAN it isconnecting to, and a particular type of coupling medium. The centralserver 304 may also be equipped with a modem for connecting to theInternet 20.

The central server 304 also includes a processing unit 602, an optionaldisplay 604 and a mass memory 606, all connected via a communicationbus, or other communication device. The mass memory 606 generallycomprises a RAM, ROM, and a permanent mass storage device, such as ahard disk drive, tape drive, optical drive, floppy disk drive, orcombination thereof. The mass memory 606 stores an operating system 608for controlling the operation of the central server. It will beappreciated that this component may comprise a general-purpose serveroperating system.

The mass memory 606 also stores program code and data for interfacingwith the premises devices, for processing the device data and forinterfacing with various authorized users. More specifically, the massmemory 606 stores a premises interface application 610 in accordancewith the present invention for obtaining data from a variety ofmonitoring devices and for communicating with the premises server. Thepremises interface application 610 comprises computer-executableinstructions, which, when executed by the central server 304, interfacewith the premises server 204 as will be explained below in greaterdetail. The mass memory 606 also stores a data processing application612 for processing monitoring device data in accordance with rulesmaintained within the rules database 308. The operation of the dataprocessing application 612 will be described in greater detail below.The mass memory 606 further stores an output interface application 614for outputting the processed monitoring device data to a variety ofauthorized users or additional central processing servers 304 inaccordance with the present invention. The operation of the outputinterface application 614 will be described in greater detail below. Itwill be appreciated that these components may be stored on acomputer-readable medium and loaded into the memory of the centralserver using a drive mechanism associated with the computer-readablemedium.

Generally described, the present invention facilitates the collectionand processing of a variety of premises information to generate one ormore action assessments of potential future activity. The system of thepresent invention obtains monitoring data from any one of a variety ofmonitoring devices 212. In an actual embodiment of the presentinvention, the monitoring device data can be categorized as asset data,resource data or event data. Asset data is obtained from a monitoringdevice corresponding to an identifiable object that is not capable ofindependent action. For example, asset data includes data obtained froma bar code or transponder identifying a particular object, such as acomputer, in a particular location. Resource data is obtained from amonitoring device corresponding to an identifiable object that iscapable of independent action. For example, resource data includes datafrom a magnetic card reader that identifies a particular person who hasentered the premises. Event data is obtained from a monitoring devicecorresponding to an on/off state that is not correlated to anidentifiable object. Event data is a default category for all of themonitoring devices. As will be readily understood by one skilled in therelevant art, alternative data categorizations are considered to bewithin the scope of the present invention.

In an illustrative embodiment of the present invention, the monitoringdevice data is obtained by the monitoring devices 212 on the premisesserver 204 and processed according to some form of decision logic. In anactual embodiment of the present invention, the premises servermaintains databases 208 having logic rules for asset data, resource dataand event data. Moreover, because the monitoring device data ispotentially applicable to more than one authorized user, multiple rulesmay be applied to the same monitoring device data. Alternatively, themonitoring device data may be processed according to a weighted decisionlogic, such as a neural network, that does not utilize fixed decisionlogic. Still further, as illustrated in FIGS. 3 and 4, some or all ofthe monitoring device data may be processed by the central server 304according to different processing layer logic rules maintained in thepremises rules database 308.

Based on the evaluation of the decision logic, the premises server 204can generate an action assessment corresponding to the outcome of thethreat assessment (a determined likelihood of a target event occurring).In an illustrative embodiment of the present invention, the actionassessment may be in the form of a numerical indicator that has one ormore actions associated with it. For example, in an airline securitymonitoring embodiment, a numerical action assessment can cause lawenforcement authorities to implement a pre-defined set of actions. Inanother embodiment of the present invention, the action assessment canbe in the form of a set of customized actions initiated by themonitoring system. With reference to the airline security example, acustomized action assessment can be in the form of a transfer of data toan individual, or group of individuals, that are determined to berelevant to the particular set of monitoring device data. Moreover, inyet another embodiment of the present invention, an action assessmentsystem 200, 300 or 400 may utilize a combination of pre-determinednumerical identifiers and customized actions.

With reference now to FIGS. 7A and 7B, a routine 700 for processing anaction assessment implemented by a premises server 204 in accordancewith the present invention will be described. Although routine 700 isdescribed in relation to a premises server 204, the routine 700 may beimplemented by the central server 304, or other similarly configuredcomputing device. With reference to FIG. 7A, at block 702, monitoringdevice data is obtained from one or more monitoring devices. In anillustrative embodiment of the present invention, raw monitoring devicedata may be directly transmitted to the device interface application 514of the premises server 204. Alternatively, some or all of the monitoringdevice data may be pre-processed prior to being obtained by the deviceinterface application 514. Additionally, the monitoring device data canalso include additional information that facilitates the origin of themonitoring device data (e.g., a device identifier) and any otherinformation describing a parameter associated with the collection of thedata (e.g., a time stamp).

At block 704, the data processing application 716 associates one or moreidentifiers corresponding to the monitoring device data. In anillustrative embodiment of the present invention, the unique identifierscan include any identifiable data that can be used to associate themonitoring device data with an individual or other identifiable deviceor resource. For example, a unique identifier can include an individualname, a social security number, a traveler identifier, and the like.Additionally, the unique identifier can include a credit account number,such as a bank account number or credit card number, a license number,serial number, and the like. One skilled in the relevant art willappreciate that some monitoring device data can generate multiple uniqueidentifiers. For example, a record indicating the purchase ofproduct/service can generate unique identifiers corresponding to theindividual making the purchase, the medium utilized to complete thepurchase, and the item purchased.

At decision block 706, a test is conducted to determine whether a recordexists in the user profile database 306 for each unique identifier. Ifno record exits, at block 708, the data processing application 516generates one or more database records corresponding the uniqueidentifier. Once the database record has been created, or if a recordalready exists, at block 710, the data processing application 516populates the record with the corresponding monitoring device data. Inan illustrative embodiment of the present invention, the data processingapplication 516 may include some type of selective processing rules thatallow it populate the record with only a portion of the monitoringdevice data. For example, if the unique identifier relates to apurchase, the data processing application 516 may save only pricinginformation and the medium of purchase. Additionally, the dataprocessing application 516 may be configured to discard some types ofmonitoring device data prior to populating a record. For example, thedata processing application can establish threshold values for some ofthe data, such a price bottom for purchases, to mitigate the collectionof less relevant data.

At block 712, the data processing application 516 obtains rulescorresponding to the modified records and at block 714, generates anaction assessment based upon the evaluation of the rule. In oneembodiment of the present invention, the data processing application mayutilize programmatic rules-based logic to process the monitoring devicedata. In accordance with this embodiment, the data processingapplication 516 associates a value for the monitoring device data andgenerates an action assessment based on the programmatic rule. If morethan one piece of information resides in a particular data record, theprogrammatic rule can include an action assessment based on theevaluation of the combination of data. However, the data processingapplication 516 may include some type of default status in the eventsome values of monitoring device data are not accounted for, or if somecombination of data is not included.

In an illustrative embodiment of the present invention, each premises202 may maintain an independent premises rules database 208 that is notdependent on any other premises. Additionally, each individual premises202 may be configured to allow the various premises 202 on the system toshare data by synchronizing the database records on a periodic basis.Alternatively, the premises rules database 208 may also be configured tobe mirrored to other selected databases on a more immediate basis.Similarly, one or more premises 202 may be configured to allow for thesharing of the premises rules data by the implementation of adistributed database network.

In an alternative embodiment of the present invention, the rules-basedlogic may also be implemented in a declarative manner to provide moreopportunities for system administrators, or other authorized personnel,to customize an action assessment for a particular evaluation of inputsand/or to modify the number of combination of inputs supported by thedata processing application 516. In an illustrative embodiment of thepresent invention, each premises rules database 208 may be populatedwith a pre-defined set of processing rules. Accordingly, to modify therules according to preferences set by each premises, the rules could begenerated, and therefore modified, according to a declarative userinterface. The declarative user interface allows for the modification ofthe processing rules as the monitoring device data is processed.

In yet another embodiment of the present invention, the data processingapplication 516 may utilize a neural network, support vector machine, orother learning system, to establish an action assessment based uponvalues for a given set of inputs. One skilled in the relevant art willappreciate that a learning system includes a randomly selected weightingscale for a given number of inputs. By utilizing a number of trainingdata sets in which an output is known for a given set of inputs, thelearning system could be trained to adjust the weight values for thevarious inputs to generate an appropriate output, or set of outputs. Inaccordance with this embodiment, the data processing application wouldutilize the learning system to generate an output based on values forany number of data inputs and combination of the inputs. Moreover, thepremises rules database 208 could include different weighing schema thatwould allow for modification of the learning system outputs fordifferent factual scenarios. Likewise, in one embodiment, each premiseswould have the capability to modify the weights for each input, tocustomize the processing of the data.

In an alternative embodiment to block 714, the monitoring device datamay not be automatically processed as it is received. Instead, the dataprocessing application 516 may delay the processing of data for a giventime period to allow the collection of multiple information pieces andreduce redundant data processing. Additionally, the data processingapplication 516 may pre-process the monitoring device data prior toapplying a processing rule. For example, the data processing applicationmay utilize finite automata to search for specific types of data toprocess. The data processing application 516 may program a finiteautomata to search for a particular individual or to search for specificcredit card numbers. Alternatively, the data processing application 516may filter monitoring device data according to its source to prioritizeprocessing from different sources. Accordingly, routine 700 can bemodified to incorporate the different embodiments.

Turning now to FIG. 7B, at block 716, the data processing applicationcan return the action assessment. In an illustrative embodiment of thepresent invention, the output interface application 518 can generate logfiles of the action assessment and/or transmit the results of theprocessing to any number of authorized recipients. At decision block718, a test is conducted to determine whether additional action itemsare required. If additional action items are required, at block 720, thedata processing application 516 obtains the action items from thepremises rules database 208. At block 722, the action items areinitiated. In an illustrative embodiment of the present invention, thedata processing application may obtain control information from thedevice profiles database 210 and utilize the output interfaceapplication 518 to generate the corresponding protocols to the outputdevices 214. Additionally, or alternatively, the output interfaceapplication 518 may transmit a request to another layer of processing,such as central processing server 304 (FIG. 3) to request thatadditional data processing take place. Upon the execution of the actionitems, or if no action items exist, the routine 700 terminates at block724.

The systems and routines of the present invention may be incorporated ina number of monitoring environments. In one aspect, the presentinvention may be configured as an airport security assessment system tomonitor airline security risks. In this embodiment, monitoring devicedata may be obtained from reservation systems, travel agencies, check-insystem, airport gates, and the like to assess passenger safety securityassessments. For example, the assessment system would capable ofprocessing a method of payment, destination, number of bags checked andthe FBI criminal database in generating a security assessment.Additionally, the assessment system would also be operable to obtainmonitoring device data, such as video data or cockpit access data, fromindividual airplanes prior to and during a flight as part of theassessment routine.

In another aspect, the present invention may be configured in acommercial sales environment to monitor various aspects of consumersales. In one embodiment, an action assessment system may be configuredto prevent future shoplifting offenses or fraud at a POS terminal. Inthis embodiment, monitoring device data may be obtained from the POSterminals, various inventory items, digital cameras, facial recognitionsystems, and the like. In another embodiment, an action assessmentsystem may be configured to reward consumer spending. In thisembodiment, monitoring device data may be obtained from the POSterminals, third-party credit companies and biometric data.

In yet another aspect, the present invention may be configured in amilitary threat assessment environment. In accordance with this aspect,monitoring device data is obtained from a number of sources includingphysical monitoring devices and intelligence monitoring devices. Forexample, physical monitoring device data can include digital imagecameras, radar images, sonar images, satellite images, and the like,that indicates the likelihood of a monitored activity. The intelligencemonitoring device data can include threat assessments, warnings, pressannouncements, etc. that provide an indication of the likelihood of anactivity being a threatening activity. In accordance with the presentinvention, the central processing server 302 is configured to provide anassessment of a threat to a premises, or other identifiable target, andinitiate an action corresponding to the threat. The initiation of anaction can include a notification to military officials of the threatcategory and a notification to authorized users to initiate an action.The notification to authorized users can also include a selection of oneor more authorized users best suited to respond to the type of threatthat has been assessed. The initiation of an action can also include theinitiation additional monitoring actions such as increased videomonitoring, the activation of special monitoring devices, and/or thesounding of alarms, etc.

While various embodiments of the invention have been illustrated anddescribed, it will be appreciated that various changes can be madetherein without departing from the spirit and scope of the invention.

1. A system for processing monitoring device data, the systemcomprising: at least one monitoring device configured to obtainmonitoring device data corresponding to at least one identifiabletarget; a first processing server configured to obtain the monitoringdevice data and process the monitoring device data according to at leastone processing rule that establishes a relationship between risk factorsused in making a threat assessment that quantifies the probability anevent will occur; a processing rules data store having processing rulescorresponding to one or more targets in a monitored premises and riskfactor data that is linked to occurrences of the event; and wherein thefirst processing server is configured to utilize processing rules fromthe processing rules data store to perform a predictive analysis on themonitoring device data in which one or more risk factors represented inthe monitoring device data are used to calculate a probability that theevent will occur in generating the threat assessment and to generate anotification to authorized personnel of the potential threat if theprobability that the event will occur is higher than a predeterminedthreshold.
 2. The system as recited in claim 1, wherein the processingrules are programmatic rules defined prior to obtaining monitoringdevice data.
 3. The system as recited in claim 1, wherein the processingrules are declarative rules that are received at the processing serverfrom an authorized user during the processing of the monitoring devicedata.
 4. The system as recited in claim 3, wherein the first processingserver dynamically processes the declarative rules with the processingof the monitoring device data.
 5. The system as recited in claim 1,wherein the monitoring device data corresponds to a set of identifiabletargets and wherein the first processing server is further configured toprocess the monitoring device data for at least a subset of the set ofidentifiable targets.
 6. The system as recited in claim 1, wherein thefirst processing server is further configured to perform anon-predictive analysis of the monitoring device data and generate aresult from the non-predictive analysis.
 7. The system as recited inclaim 1, wherein the predictive analysis corresponds to a processing oftwo or more processing rules.
 8. The system as recited in claim 1,wherein the first processing server generates a set of monitoring devicedata corresponding to a collection of monitoring device data for adefined period of time prior to performing the predictive data analysis.9. The system as recited in claim 8, wherein the first processing serverpre-processes the set of monitoring device data.
 10. The system asrecited in claim 9, wherein pre-processing the monitoring device dataincludes selecting a subset of monitoring device data for processing.11. The system as recited in claim 1, wherein the first processingserver is further configured to obtain monitoring device data from aremote computing device and not directly from the monitoring devices.12. The system as recited in claim 11, wherein the monitoring devicedata is collected for a predetermined period of time before thepredictive data analysis is performed.
 13. The system as recited inclaim 12, wherein the first processing server pre-processes the set ofmonitoring device data.
 14. The system as recited in claim 13, whereinpre-processing the monitoring device data includes selecting a subset ofmonitoring device data for processing.
 15. The system as recited inclaim 1, wherein the first processing server is configured to send themonitoring device data over a network and receive a result of thepredictive analysis according to a processing rule.
 16. The system asrecited in claim 15, further comprising a second processing rules datastore corresponding to the second processing server and operable toprovide processing rules to the second processing server.
 17. The systemas recited in claim 15, wherein the second processing server is operableto perform a predictive data analysis of the result of the predictiveanalysis from the first processing server.
 18. The system as recited inclaim 15, wherein the second processing server is operable to obtain aset of processing results from the first processing server and processthe entire set of processing results.
 19. The system as recite in claim15, further comprising a third processing server operable to obtain theresult from the second processing server and process the resultaccording to a processing rule.
 20. The system as recited in claim 1,wherein the result of the predictive analysis corresponds to thegeneration of an indicator of a threat condition.
 21. The system asrecited in claim 1, wherein the result of the predictive analysiscorresponds to the generation of an indicator of an action to beinitiated.
 22. The system as recited in claim 1, wherein the result ofthe predictive analysis corresponds to the initiation of an outputdevice by the first processing server.
 23. The system as recited inclaim 1, wherein the first processing server obtains one or moredeclarative rules from an authorized user and modifies the predictiveprocessing according to the declarative rules.
 24. The system of claim1, wherein the monitoring device data corresponds to commercial salesdata.
 25. The system of claim 24, wherein the predictive analysiscorresponds to a prediction of consumer fraud.
 26. The system of claim24, wherein the predictive analysis corresponds to a prediction ofconsumer spending.
 27. The system of claim 1, wherein the monitoringdevice data corresponds to data associated with a military object andwherein the predictive analysis corresponds to a threat to the militaryobject.
 28. A method for processing device data, comprising: obtainingmonitoring device data from at least one monitoring device correspondingto at least one identifiable target; obtaining at least one processingrule corresponding to the identifiable target from a processing rulesdata store that establishes a relationship between risk factors used inmaking a threat assessment that quantifies the probability an event willoccur; processing the monitoring device data according to the at leastone processing rule, wherein processing the monitoring device dataincludes calculating a probability that an event will occur ingenerating the threat assessment wherein risk factors identified in themonitoring device data that are linked to the occurrence of the eventare used in calculating the probability that the event will occur; andgenerating an output corresponding to the processing of the monitoringdevice data prior to occurrence of the event wherein generating theoutput includes notifying authorized personnel if the probability thatthe event will occur is higher than a predetermined threshold.
 29. Themethod as recited in claim 28, wherein the processing rules areprogrammatic rules defined prior to obtaining monitoring device data.30. The method as recited in claim 28, wherein the processing rules aredeclarative rules defined during the processing of the monitoring devicedata.
 31. The method as recited in claim 30, wherein the declarativerules are dynamically processed with the processing of the monitoringdevice data.
 32. The method as recited in claim 28, wherein themonitoring device data corresponds to a set of identifiable targets andwherein the processing the monitoring device data includes processingthe monitoring device data for a subset of the set of identifiabletargets.
 33. The method as recited in claim 28, wherein processing themonitoring device data includes performing a non-predictive analysis ofthe monitoring device data.
 34. The method as recited in claim 28,wherein processing the monitoring device data includes processing themonitoring device data according to two or more processing rules. 35.The method as recited in claim 28, further comprising pre-processing themonitoring device data.
 36. The method as recited in claim 35, whereinpre-processing the monitoring device data includes collecting monitoringdevice data for a period of time and selecting a subset of the collectedmonitoring device data for processing.
 37. The method as recited inclaim 36, wherein selecting a subset of the collected monitoring devicedata includes filtering the monitoring device data.
 38. The method asrecited in claim 28, wherein generating an output corresponding to theprocessing of the monitoring device data includes transmitting a resultof the processing over a network to a remote device.
 39. The method asrecited in claim 28, wherein generating an output corresponding to theprocessing of the monitoring device data includes generating anindication of a threat condition.
 40. The method as recited in claim 28,wherein generating an output corresponding to the processing of themonitoring device data includes generating an indication of an action tobe initiated by an external party.
 41. The method as recited in claim28, wherein generating an output corresponding to the processing of themonitoring device data includes initiating an output device to performan action corresponding to a processing rule.
 42. The method as recitedin claim 28, further comprising obtaining a set of declarativeprocessing rules from an authorized user, wherein processing themonitoring device data includes processing the monitoring device dataaccording to the declarative processing rules.
 43. The method as recitedin claim 28, further comprising a computer-readable medium.
 44. Themethod as recited in claim 28, wherein the monitoring device datacorresponds to commercial sales data.
 45. The method as recited in claim44, wherein processing the monitoring device data according to at leastone processing rule includes processing the data to obtain a predictionof consumer fraud.
 46. The method as recited in claim 44, whereinprocessing the monitoring device data according to at least oneprocessing rule includes generating a prediction of consumer spending.47. The method as recited in claim 28, wherein the monitoring devicedata corresponds to data associated with the military object and whenprocessing monitoring device data according to at least one processingrule includes a generated predictive analysis corresponding to a threatto the military object.
 48. The method as recited in claim 28, furthercomprising a computer system having a processor, a memory, and anoperating environment.
 49. A system for processing monitoring devicedata, the system comprising: at least one information collectioncomputing device configured to obtain monitoring device data from anumber of monitoring devices, the monitoring device data correspondingto at least one identifiable target; a central processing server incommunication with the at least one information collection computingdevice and operable to receive the monitoring device data correspondingto at least one identifiable target; and a processing rules data storehaving processing rules corresponding to one or more identifiabletargets and risk factor data that is linked to the occurrence of theevent; wherein the central processing server is configured to obtain aprocessing rule corresponding to the at least one target, perform apredictive analysis in which one or more risk factors in the monitoringdevice data are used to calculate a probability that the event willoccur in generating a threat assessment, and generate a notification toauthorized personnel of the potential threat if the probability that theevent will occur is higher than a predetermined threshold.
 50. Thesystem as recited in claim 49, wherein the processing rules areprogrammatic rules defined prior to obtaining monitoring device data.51. The system as recited in claim 49, wherein the processing rules aredeclarative rules defined by an authorized user during the processing ofthe monitoring device data.
 52. The system as recited in claim 51,wherein the central processing server dynamically processes thedeclarative rules with the processing of the monitoring device data. 53.The system as recited in claim 49, wherein the monitoring device datacorresponds to a set of identifiable targets and wherein the centralprocessing server processes the monitoring device data for at least asubset of the set of identifiable targets.
 54. The system as recited inclaim 49, wherein the central processing server further performs anon-predictive analysis of the monitoring device data and generates aresult from the non-predictive analysis.
 55. The system as recited inclaim 49, wherein the predictive analysis corresponds to a processing oftwo or more processing rules.
 56. The system as recited in claim 49,wherein the information collection information devices generates a setof monitoring device data corresponding to a collection of monitoringdevice data for a defined period of time prior to transmitting the setof monitoring device data to the central processing server.
 57. Thesystem as recited in claim 56, wherein the information collection serverpre-processes the set of monitoring device data.
 58. The system asrecited in claim 57, wherein pre-processing the monitoring device dataincludes selecting a subset of monitoring device data for processing.59. The system as recited in claim 49, wherein the central processingserver pre-processes the monitoring device data prior to processing themonitoring device data according to a processing rule.
 60. The system asrecited in claim 59, wherein pre-processing the monitoring device dataincludes selecting a subset of monitoring device data for processing.61. The system as recited in claim 49, further comprising a secondprocessing server operable to obtain the result of the predictiveanalysis from the central processing server and process the resultaccording to a processing rule.
 62. The system as recited in claim 61,further comprising a second processing rules data store corresponding tothe second processing server and operable to provide processing rules tothe second processing server.
 63. The system as recited in claim 61,wherein the second processing server is operable to perform a predictivedata analysis of the result of the predictive analysis from the centralprocessing server.
 64. The system as recited in claim 61, wherein thesecond processing server is operable to obtain a set of processingresults from the central processing server and process the entire set ofprocessing results.
 65. The system as recite in claim 61, furthercomprising a third processing server operable to obtain the result fromthe second processing server and process the result according to aprocessing rule.
 66. The system as recited in claim 49, wherein theresult of the predictive analysis corresponds to the generation of anindicator of a threat condition.
 67. The system as recited in claim 49,wherein the result of the predictive analysis corresponds to thegeneration of an indicator of an action to be initiated.
 68. The systemas recited in claim 49, wherein the result of the predictive analysiscorresponds to the initiation of an output device by the firstprocessing system.
 69. The system as recited in claim 49, wherein thefirst processing system obtains one or more declarative rules from anauthorized user and modifies the predictive processing according to thedeclarative rules.
 70. The system of claim 49, wherein the monitoringdevice data corresponds to commercial sales data.
 71. The system ofclaim 70, wherein the predictive analysis corresponds to a prediction ofconsumer fraud.
 72. The system of claim 70, wherein the predictiveanalysis corresponds to a prediction of consumer spending.
 73. Thesystem of claim 49, wherein the monitoring device data corresponds todata associated with a military object and wherein the predictiveanalysis corresponds to a threat to the military object.